Kodiak Sciences Inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

Kodiak Sciences Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:20:20 EDT.

Filings

10-K filed on 2025-03-27

Kodiak Sciences Inc. filed a 10-K at 2025-03-27 16:20:20 EDT
Accession Number: 0000950170-25-046098


Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, hardware, software, and our high value data, including intellectual property, trade secrets, confidential and sensitive information (collectively, “Information Systems and Data”).

Our management team works with our digital transformation team in an effort to identify, assess and manage the Company’s cybersecurity threats and risks. Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage, mitigate and remediate material risk from cybersecurity threats to our Information Systems and Data. These measures include but are not limited to firewalls, endpoint detection and response, antivirus programs, email security measures, backups and recovery procedures, privileged access management, multi-factor authentication schemes, data encryption, automatic patching, and security system information event monitoring to detect and respond to any emerging threats. Our information security and privacy policy framework includes standards for incident response, vulnerability management, data protection and logical access controls.

Our assessment and management of material risks from cybersecurity threats are integrated into our Company’s overall risk management process, which, in part, establishes intended uses of our computerized systems and identifies critical and/or material risks. After a system reaches operation, the risk management approach continues following processes for change control, system maintenance, logical access control, discrepancy management and periodic review.

We use independent service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats. We periodically conduct vulnerability assessments and perform intrusion and penetration testing to evaluate our cybersecurity response capabilities. We maintain cybersecurity awareness training for our employees and periodically perform phishing simulations. We routinely communicate with employees about the potential for cybersecurity threats, including the latest adversary trends and social engineering techniques and how to avoid them, and the best use of our established communications channels.

We have a vendor management process designed to manage cybersecurity risks associated with our use of third parties. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve varying methods of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under “Part I, Item 1A. - Risk Factors” in this Annual Report on Form 10-K, including the risk factor titled “If our information technology systems, or those of third parties with whom we work, or our data, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions, significant fines or other liability, interruptions of our development programs, harm to our reputation, and other adverse consequences.”

Governance

The Nominating and Corporate Governance Committee of our Board of Directors is responsible for overseeing cybersecurity risk management processes, including oversight and mitigation of risk from cybersecurity threats. The Nominating and Corporate Governance Committee receives reports, as necessary, from the Chief Financial Officer of the Company regarding cybersecurity threats or incidents.

Our cybersecurity risk assessment and management processes are implemented and maintained by our digital transformation team under the supervision of the Chief Financial Officer and Chief Executive Officer of the Company, both of whom have experience in business operations including risk management and oversight of information technology functions within the biopharmaceutical industry. Our digital transformation team includes members with relevant expertise in cybersecurity, incident response, and the safeguarding of company assets. The digital transformation team undertakes efforts to learn about the Company’s cybersecurity threats by reviewing security assessments and other security-related reports.

Our cybersecurity incident response and vulnerability management follow our information security and privacy policy framework. This framework is designed to escalate certain cybersecurity incidents to the Chief Financial Officer and, depending upon an incident’s particular facts, the Chief Financial Officer will report certain cybersecurity incidents to the Nominating and Corporate Governance Committee of the Board of Directors.


Company Information

Name: Kodiak Sciences Inc.
CIK: 0001468748
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: KOD - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30